nanog mailing list archives
Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")
From: Jeffrey Haas <jhaas () pfrc org>
Date: Mon, 21 Oct 2019 15:37:11 -0400
On Oct 21, 2019, at 3:25 PM, Brandon Martin <lists.nanog () monmotha net> wrote:
> On 10/21/19 11:30 AM, Keith Medcalf wrote:
>> Why cannot one just put the MD5 authenticated connection inside a TLS connection? What is the advantage to be gained by replacing the authentication mechanism with the weaker certificate authentication method available with TLS?
> Self-issued certificates with either CA pinning or end-certificate hash pinning are arguably more secure than a shared passphrase as used by TCP-MD5, in that someone with knowledge of the secrets of one end cannot use it to impersonate the other end, whereas a shared passphrase is inherently shared and symmetric in that respect. Whether that really provides much value in the context of a BGP session is perhaps questionable.
Considering a lot of hand-wringing from the various security conscious folk is over the ability to easily re-key, I think it mostly just complicates things. Certs are effectively a much nicer single use key. Exactly how the cert lifetime interacts with peering sessions is likely to be several flavors of ugly.
> Wouldn't ipsec be a "cleaner" solution to this (bugginess of implementations and difficulty of configuration aside)? It would also solve the TCP-RST injection issues that TCP-MD5 was intended to resolve. You can use null encryption with ESP or even just AH if you want authentication without confidentiality, too. Or are we all going to admit that ipsec is almost dead in that it's just too darned complex? Just run BGP over TCP as normal and install a security policy that says it must use ipsec with appropriate (agreed-upon) authentication. "Just", right?
BGP over ipsec works fine. But that said, it's mostly done with pre-shared keys. The ugly issue of ipsec is that the ecosystem really wants IKE to do the good things people associate with long-lived sessions. I don't even vaguely pretend to be an ipsec/IKE expert, but the wrangling over this and router bootstrapping issues generated a lot of heat and a small amount of light in IETF a while back. And if you have a rather scaled-out router, imagine the CPU melting that goes with a cold startup scenario where you have to get all of those IKE sessions up to start up your BGP. Now think what that does to your restart time.

-- Jeff
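The symmetry point Brandon raises (a TCP-MD5 passphrase is the same bytes at both ends, so whoever reads one router's config can forge segments in either direction, while a pinned per-end key cannot be turned around) is easy to see in code. The following is an added example, not code from this thread or from any BGP implementation. It computes the RFC 2385 TCP-MD5 digest over a constructed segment (MD5 over the IPv4 pseudo-header, the TCP header minus options with checksum zeroed, the payload, then the key), shows that a holder of the shared key can mint a valid digest for a spoofed segment, and contrasts that with a per-end Ed25519 key whose public half the peer pins, standing in for the end-certificate hash pinning Brandon describes. The addresses, ports, key string and KEEPALIVE payload are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
)

// Segment holds the TCP fields that the RFC 2385 digest covers. DataOffset is
// in 32-bit words as sent on the wire (it grows when the MD5 option is carried),
// but the option bytes themselves are excluded from the digest by the RFC.
type Segment struct {
	SrcIP, DstIP      net.IP
	SrcPort, DstPort  uint16
	Seq, Ack          uint32
	DataOffset, Flags uint8
	Window            uint16
	Payload           []byte
}

// tcpMD5Digest implements RFC 2385: MD5 over the IPv4 pseudo-header, the fixed
// TCP header (options excluded, checksum zeroed), the payload, and the shared key.
// The same key is used for both directions, which is the symmetry at issue.
func tcpMD5Digest(s Segment, key []byte) [16]byte {
	var b bytes.Buffer
	put := func(v interface{}) { _ = binary.Write(&b, binary.BigEndian, v) }
	// Pseudo-header: src, dst, zero byte, protocol (TCP = 6), total segment length.
	b.Write(s.SrcIP.To4())
	b.Write(s.DstIP.To4())
	b.Write([]byte{0, 6})
	put(uint16(int(s.DataOffset)*4 + len(s.Payload)))
	// Fixed 20-byte TCP header; the urgent pointer is assumed zero in this example.
	put(s.SrcPort)
	put(s.DstPort)
	put(s.Seq)
	put(s.Ack)
	b.Write([]byte{s.DataOffset << 4, s.Flags})
	put(s.Window)
	put(uint16(0)) // checksum, zeroed for the digest
	put(uint16(0)) // urgent pointer
	b.Write(s.Payload)
	b.Write(key)
	return md5.Sum(b.Bytes())
}

// Outcome records what each scheme accepts when the adversary holds peer B's
// secret material and tries to impersonate peer A towards B.
type Outcome struct {
	MD5Genuine, MD5Forged, MD5WrongKeyRejected bool
	SigGenuine, SigForged                       bool
}

// keepalive is a constructed BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4.
var keepalive = append(bytes.Repeat([]byte{0xff}, 16), 0x00, 0x13, 0x04)

// Demo runs both schemes over the constructed session A (192.0.2.1:179) -> B (192.0.2.2:52000).
func Demo() (Outcome, error) {
	var o Outcome
	aToB := Segment{
		SrcIP: net.ParseIP("192.0.2.1"), DstIP: net.ParseIP("192.0.2.2"),
		SrcPort: 179, DstPort: 52000, Seq: 1000, Ack: 5000,
		DataOffset: 10, Flags: 0x18, Window: 65535, Payload: keepalive,
	}
	shared := []byte("constructed-tcp-md5-secret") // configured identically on A and B

	// A signs, B recomputes with its own copy of the key.
	o.MD5Genuine = tcpMD5Digest(aToB, shared) == tcpMD5Digest(aToB, shared)
	o.MD5WrongKeyRejected = tcpMD5Digest(aToB, []byte("some-other-key")) != tcpMD5Digest(aToB, shared)
	// Whoever read B's config has the same key A uses, so a spoofed RST "from A"
	// carries a digest that B accepts.
	leakedFromB := shared
	forgedRST := aToB
	forgedRST.Seq, forgedRST.Flags, forgedRST.Payload = 1001, 0x04, nil
	o.MD5Forged = tcpMD5Digest(forgedRST, leakedFromB) == tcpMD5Digest(forgedRST, shared)

	// Per-end keys: B pins A's public key (what end-certificate pinning reduces to).
	aPub, aPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	_, bPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	pinnedAtB := aPub
	o.SigGenuine = ed25519.Verify(pinnedAtB, keepalive, ed25519.Sign(aPriv, keepalive))
	// Holding B's private key does not let the adversary sign as A.
	o.SigForged = ed25519.Verify(pinnedAtB, keepalive, ed25519.Sign(bPriv, keepalive))
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The digest routine is the RFC 2385 construction as written; what the example does not model is the rest of the TLS machinery (certificate lifetimes, renegotiation, the re-keying headaches Jeff mentions), only the one property under discussion: a leaked shared secret forges both directions, a leaked per-end key forges one.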